In Java we are using ganymed-ssh2-build210.jar for connecting to the server via ssh. I need to restrict the weaker algorithm " diffie-hellman-group1-sha1 " specifically.
Is there any customizable settings in ganymed-ssh2-build210.jar that allows to restrict this ?
Is there any java.security setting available for restricting the same ?
On
If you cannot control the server but the library on the client.
Following might be an option
ch/ethz/ssh2/transport/KexManager.java to not support anymore diffie-hellman-group1-sha1ganymed-ssh2-build210_1.jar and use this one with the client applicationedit Find a step-by-step instruction to verify the above.
Assume following structure
bin/
apache-sshd-1.6.0.tar.gz
ganymed-ssh2-build210.jar
ganymed-ssh2-build210-sources.jar
SshClientDemo.java
SshServerDemo.java
SshServerDemo.java
package sub.optimal;
import java.nio.file.Paths;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.shell.InteractiveProcessShellFactory;
import org.apache.sshd.server.shell.ProcessShellFactory;
public class SshServerDemo extends Thread {
public static void main(String[] args) throws Exception {
Logger.getGlobal().setLevel(Level.FINEST);
SshServer sshd = SshServer.setUpDefaultServer();
sshd.setPort(2222);
sshd.setKeyPairProvider(
new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser"))
);
sshd.setShellFactory(InteractiveProcessShellFactory.INSTANCE);
sshd.setCommandFactory(
new ScpCommandFactory.Builder().withDelegate(
cmd -> new ProcessShellFactory(
GenericUtils.split(cmd, ' ')
).create()
).build()
);
List<NamedFactory<KeyExchange>> keyExchangeFactories;
keyExchangeFactories = sshd.getKeyExchangeFactories();
keyExchangeFactories.removeIf(
e -> !e.getName().equals("diffie-hellman-group1-sha1")
);
sshd.setKeyExchangeFactories(keyExchangeFactories);
sshd.setPasswordAuthenticator(
(username, password, session) -> username.equals(password)
);
sshd.start();
Thread.sleep(Long.MAX_VALUE);
}
}
SshClientDemo.java
package sub.optimal;
import ch.ethz.ssh2.Connection;
import ch.ethz.ssh2.Session;
import ch.ethz.ssh2.StreamGobbler;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class SshClientDemo {
public static void main(String[] args) throws Exception {
Connection conn = new Connection("localhost", 2222);
conn.connect();
boolean isAuthenticated = conn.authenticateWithPassword("foo", "foo");
Session sess = conn.openSession();
System.out.println("session is authenticated: " + isAuthenticated);
sess.execCommand("echo I'm there...");
InputStream stdout = new StreamGobbler(sess.getStdout());
BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
while (true) {
String line = br.readLine();
if (line == null) {
break;
}
System.out.println(line);
}
sess.close();
conn.close();
}
}
extract the Apache server
tar xzf apache-sshd-1.6.0.tar.gz
compile the demo classes
javac -cp "apache-sshd-1.6.0/lib/*" -d bin/ SshServerDemo.java
javac -cp ganymed-ssh2-build210.jar -d bin/ SshClientDemo.java
extract the KexManager.java
jar vxf ganymed-ssh2-build210-sources.jar \
ch/ethz/ssh2/transport/KexManager.java
modify the file KexManager.java
public static final String[] getDefaultKexAlgorithmList() {
return new String[] {
"diffie-hellman-group-exchange-sha1",
"diffie-hellman-group14-sha1"// ,
// "diffie-hellman-group1-sha1"
};
}
...
public static final void checkKexAlgorithmList(String[] algos)
...
if ("diffie-hellman-group14-sha1".equals(algos[i]))
continue;
// if ("diffie-hellman-group1-sha1".equals(algos[i]))
// continue;
...
compile the patched KexManager.java
javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java
create a patched library
cp ganymed-ssh2-build210.jar ganymed-ssh2-build210-patched.jar
jar vuf ganymed-ssh2-build210-patched.jar \
ch/ethz/ssh2/transport/KexManager.class
in command line session ONE
start the server
java -cp "bin/:apache-sshd-1.6.0/lib/*" sub.optimal.SshServerDemo
in command line session TWO
check first the key exchange algos supported by the server
ssh -vv foo@localhost -p 2222
in the output only the diffie-hellman-group1-sha1 is reported
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
run the client with the un-patched library
java -cp bin/:ganymed-ssh2-build210.jar sub.optimal.SshClientDemo
output
session is authenticated: true
I'm there...
run the client with the patched library
java -cp bin/:ganymed-ssh2-build210-patched.jar sub.optimal.SshClientDemo
output
Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
on the server log
Unable to negotiate key exchange for kex algorithms \
(client: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 \
/ server: diffie-hellman-group1-sha1)
That proves that the SshClientDemo with the patched library cannot use the key exchange algorithm diffie-hellman-group1-sha1 to connect to the server (which for the PoC only support this one).
You want to change allowed ciphers on the server rather than in your client, otherwise anyone can bypass this easily.
Check answer: https://unix.stackexchange.com/questions/333728/ssh-how-to-disable-weak-ciphers